Corporate boards address cyber attacks
NEW YORK — How to deal with a potential cyber attack is top of mind for most company directors, but preparing them for this crisis is particularly difficult, says an expert.
“It’s not an easily understood issue for most directors,” said Alan Dye, a partner with Hogan Lovells U.S. L.L.P. in Washington. He was among speakers on a panel on crises at the Professional Liability Underwriting Society’s 2018 Directors & Officers Symposium in New York on Wednesday.
“There’s a lot of geek speak that goes on with that, so there’s a process of getting them up to speed,” Mr. Dye said. They need to be able to address an attack “in a very rapid way,” he said.
“Some boards have really attacked the issue” and developed a cyber response plan that includes designating which members will be responsible for responding to an attack, he said.
News of a ransomware attack can break quickly into the public domain before the board knows about it, “so putting together a rapid response plan is where companies are headed today,” while “a really advanced board has already run through simulations with their team,” he said.
To be ready to handle crises of all types, senior management “must identify each and every reasonable risk the business may face and then take the next step of implementing mitigation processes,” said Phil Warman, senior vice president/general counsel for SandRidge Energy Inc., based in Oklahoma City.
When it comes to being prepared, it is also important to have good relationships with your advisers, whether they are public relations or legal firms, assuring that they have a good understanding of the business before a crisis, he said.
In addition, “You need to make sure the lines of communication are open with stockholders” as well as regulators, if it is a regulated business, he said.
Mr. Warman said when a CEO is told he has been accused of financial malfeasance, very frequently his response is to issue a flat denial.
“That’s the wrong response,” he said. Instead, the board of directors must be consulted, and if the charges have “any modicum of credibility” an independent investigation conducted.
Stephen Sigmund, senior adviser with Global Strategy Group L.L.C. in New York, pointed to the impact of social media on crises. “The 24-hour news cycle has become every minute,” he said.
Where it used to take The New York Times a day to develop a story, news may now be posted within 15 minutes by a website that has no idea what a company does “and is just jumping on the story to gin up as many hits as they can.”
Mr. Sigmund said in the 1990s, companies could say a problem was caused by one or two bad apples. Now, “you have to have a more holistic response,” he said.
“The rules have changed,” said Michael Gross, New York-based vice chairman of Finsbury, a global strategic communications firm. “The standard of accountability is greater than it ever has been, with multiple stakeholders. I think companies need to recognize that.”